Security Basics mailing list archives

Re: MS PEAP vs. EAP-TTLS


From: yonesy <yonesy () gmail com>
Date: Wed, 2 Feb 2005 12:00:46 -0500

This is from a nice article from NWC back in 2003 which is applicable
today.  I currently use PEAP-TLS (it works perfectly).

"PEAP works in two steps. After the initial handshake between the
client and access point, a TLS (Transport Layer Security) channel is
created between the client and authentication server. All messages get
encrypted, and the RADIUS server then authenticates the client using
an EAP method--EAP-TLS or EAP-MS-CHAP (Challenge Handshake
Authentication Protocol) v2.

With TTLS (Tunneled Transport Layer Security), a TLS tunnel is
established and the client authentication parameters get exchanged.
TLS has existed longer than TTLS, but its usage has waned because it
requires extra certificates on each client.

TTLS and PEAP are similar in concept, but there are important
differences: TTLS supports other EAP authentication methods and also
PAP, CHAP, MS-CHAP and MS-CHAPv2, whereas PEAP can tunnel only
EAP-type protocols such as EAP-TLS, EAP-MS-CHAPv2 and EAP-SIM. TTLS
requires installation of client software, whereas PEAP comes ready to
run in XP Service Pack 1 on the client device, for instance. TTLS is
widely available and implemented, while PEAP is still new. But given
PEAP's backing from Cisco, Microsoft and RSA, it's likely to emerge as
the de facto authentication mechanism for 802.1x."

http://www.nwc.com/1409/1409ws13.html

Good Luck!


On Mon, 31 Jan 2005 11:09:13 -0800 (PST), Dave Lewis
<infosecdave () yahoo com> wrote:
Hi All,

Does anyone have any opinions about the merits of
Funk's EAP-TTLS vs. MS's PEAP implementation for WLAN?
Any suggestions or links to resources, etc. are
appreciated.

Thanks in advance,
Dave





-- 
Yonesy F. Nuñez, ISSAP, ISSMP, CISSP, MCSE, Security+
Failed to plan?...  Then plan to fail!!!

